Clear-Site-Data Header — Secure Logout Implementation

Updated April 2026

When a user logs out, their session cookie is deleted by your server — but their browser may still have localStorage tokens, service worker caches, and IndexedDB data. Clear-Site-Data wipes all of it in one header.

The header

# Clear everything (recommended for logout)
Clear-Site-Data: "cache", "cookies", "storage"

# Or use wildcard
Clear-Site-Data: "*"

# Clear only specific types
Clear-Site-Data: "cookies" # just cookies
Clear-Site-Data: "storage" # localStorage, sessionStorage, IndexedDB
Clear-Site-Data: "cache" # HTTP cache and service worker caches

Add to your logout endpoint

Express / Node.js

app.post("/api/logout", (req, res) => {
  // Invalidate the server-side session first; respond only once the
  // store has confirmed the deletion so a replayed token cannot race it
  req.session.destroy((err) => {
    if (err) return res.status(500).json({ success: false });
    // Clear browser-side data (cache, cookies, storage)
    res.setHeader("Clear-Site-Data", '"cache", "cookies", "storage"');
    // Also clear the session cookie explicitly
    res.clearCookie("session");
    res.json({ success: true });
  });
});

FastAPI / Python

from fastapi import FastAPI, Response

app = FastAPI()


@app.post("/api/logout")
def logout(response: Response):
    # Tell the browser to wipe cache, cookies and storage for this origin
    response.headers["Clear-Site-Data"] = '"cache", "cookies", "storage"'
    # Expire the session cookie explicitly as well
    response.delete_cookie("session")
    return {"success": True}

Next.js App Router

// app/api/auth/logout/route.ts
import { NextResponse } from "next/server";

export async function POST() {
  const response = NextResponse.json({ success: true });
  // Tell the browser to wipe cache, cookies and storage for this origin
  response.headers.set("Clear-Site-Data", '"cache", "cookies", "storage"');
  // Expire the session cookie explicitly as well
  response.cookies.delete("session");
  return response;
}

Django

from django.contrib.auth import logout
from django.http import JsonResponse


def logout_view(request):
    # Invalidate the server-side session (flushes the session store)
    logout(request)
    response = JsonResponse({"success": True})
    # Tell the browser to wipe cache, cookies and storage for this origin
    response["Clear-Site-Data"] = '"cache", "cookies", "storage"'
    return response

What each value clears

| Value | Clears |
|---|---|
| "cookies" | All cookies for the origin |
| "storage" | localStorage, sessionStorage, IndexedDB, Web SQL |
| "cache" | HTTP cache, service worker caches, CacheStorage |
| "executionContexts" | Reloads all open tabs for the origin |
| "*" | All of the above |

Important — HTTPS required

Clear-Site-Data only works over HTTPS. On HTTP, browsers ignore it. This is intentional — clearing data over an insecure connection could be abused by network attackers.

Why server-side invalidation is still required

Clear-Site-Data clears browser storage — but your server must also invalidate the session token. If an attacker stole the token before logout, it would still work on the server unless you invalidate it server-side:

// Always do both:
// 1. Add the Clear-Site-Data header to the logout response
// 2. Invalidate the session on the server (delete from DB/Redis/etc.)
await redis.del(`session:${sessionId}`);